Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

crypto isakmp key invalid input. not able to add pre-share key to cisco asa



I am setting up a site to site VPN using 2 cisco asa the remote site is configured with a dynamic IP and the main office with a static IP.


after the initial ISAKMP setup: on remote asa


crypto isakmp policy 1

 encr 3des

 hash md5

 authentication pre-share

 group 2

 lifetime 86400


I am running the following command to add the pre-share key:

crypto isakmp key xxxxxxxxx address

but I am getting an error:

invalid input under "key"

any idea?




Everyone's tags (2)

Hello, If you are seeting up



If you are seeting up the side has static IP address, and we are talking about an ASA and not a router, that command you are setting is not used on ASA, it is for IOS routers, so to set up the tunnel group for dynamic connections you will have to this:


1. Set up the pre-shared key for Dynamic connections(

tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key <Pre_shared key value>


2. The create a transform set and a dynamic conenction associated to it:


crypto ipsec transform-set myset esp-3des esp-md5-hmac --> this has to match the transform set of the ASA placed on the other side 

crypto dynamic-map cisco 10 set transform-set myset  --> Dynamic Map associated to the Transform set


3. The you will have to associate the correspondent Dynamic Map to a Crypto MAP:


crypto map dyn-map 2000 ipsec-isakmp dynamic cisco 


This is all you have to do on the Dynamic Side.


Please don´t forget to rate


Best Regards,


David Castro,





CreatePlease login to create content